How to Enroll a Mac in Microsoft Intune: Step-by-Step Guide

Enrolling a Mac in Microsoft Intune lets your organization manage macOS devices alongside Windows PCs from a single portal. Whether you deploy MacBooks to employees or support a mixed environment, Mac enrollment in Intune gives you visibility, compliance enforcement, and app deployment without requiring on-premises infrastructure. This step-by-step guide covers everything you need, from preparing the Intune portal to completing the enrollment on the Mac itself.

Before starting, make sure you have an Entra ID account with Intune licenses assigned and admin access to the Microsoft Intune admin center. If you are new to Intune, start with our guide on what Microsoft Intune is and how it works.

Prerequisites for Mac Enrollment in Intune

Before enrolling any Mac, confirm that your environment meets these requirements:

• Microsoft Intune license — included with Microsoft 365 Business Premium, E3, E5, or as a standalone license
• macOS 13 or later — older macOS versions have limited MDM support
• Apple MDM push certificate — required to manage any Apple device; configured once per tenant in the Intune portal
• Company Portal app — available free from the Mac App Store; used for user-driven enrollment
• Entra ID account — the user must have an Entra ID (Azure AD) account with an Intune license assigned

Step 1: Configure the Apple MDM Push Certificate

The Apple MDM Push Certificate authorizes Intune to communicate with Apple devices. You configure it once for your entire tenant and renew it annually.

1. Go to Intune admin center → Devices → Enroll devices → Apple enrollment → Apple MDM Push Certificate
2. Click Grant Microsoft permission and sign in with a work account
3. Download the certificate signing request (.csr) file
4. Go to Apple Push Certificates Portal and sign in with a dedicated Apple ID
5. Upload the .csr file and download the resulting .pem certificate
6. Back in Intune, upload the .pem file and complete the configuration

Store the Apple ID you use here — you must use the same account every year to renew the certificate. Using a different Apple ID invalidates all enrolled devices.

Step 2: Create a macOS Enrollment Profile

An enrollment profile defines how macOS devices register with Intune. For user-driven enrollment (the most common method), the profile is applied automatically when users sign in through the Company Portal app.

1. In the Intune admin center, go to Devices → Enroll devices → macOS enrollment
2. Select Enrollment program tokens if you use Apple Business Manager (for zero-touch deployment), or proceed with standard enrollment for user-initiated registration
3. For standard enrollment, no additional profile configuration is necessary — the Company Portal handles it automatically

Step 3: Assign Intune Licenses to Users

Each user who enrolls a Mac needs an Intune license. You assign licenses from the Microsoft 365 admin center or via PowerShell. Confirm that the user also has an active Entra ID account — without it, enrollment fails at the authentication step.

To check and assign licenses, go to Microsoft 365 admin center → Users → select the user → Licenses and apps → enable Microsoft Intune.

Step 4: Install the Company Portal App on the Mac

On the Mac you want to enroll, open the Mac App Store and search for Company Portal. Download and install the free Microsoft app.

Alternatively, your IT team can deploy the Company Portal app via Apple Business Manager or a script before enrollment, which is useful for bulk deployments.

Step 5: Enroll the Mac via the Company Portal

Open the Company Portal app and sign in with the user’s Microsoft 365 credentials. Follow the on-screen prompts to complete enrollment:

1. Sign in with your Microsoft 365 account credentials
2. Click Begin when prompted to set up device management
3. Download the management profile when prompted — this appears in your Downloads folder
4. Open System Settings → Privacy & Security → Profiles and install the downloaded profile
5. Enter your Mac administrator password to authorize the installation
6. Return to the Company Portal app and click Done

The enrollment process takes 2 to 5 minutes. Once complete, the Mac appears in the Intune portal under Devices → macOS.

Step 6: Verify Enrollment in the Intune Portal

After enrollment, verify the device appears correctly in Intune.

1. Go to Intune admin center → Devices → macOS
2. Find the Mac by device name or serial number
3. Check that the compliance status shows Compliant (or Not evaluated if no compliance policy applies yet)
4. Confirm the last check-in time is recent

What You Can Do After Mac Enrollment

Once a Mac is enrolled in Intune, you gain full MDM control. Specifically, you can:

• Deploy apps — push macOS apps silently to enrolled devices via the Intune portal
• Enforce compliance policies — require FileVault encryption, password complexity, and OS version minimums
• Apply configuration profiles — configure Wi-Fi, VPN, email, and certificates without touching the device
• Remote wipe — retire or wipe lost or stolen Macs remotely from the Intune portal
• Conditional Access — block corporate resource access from non-compliant Macs using Entra ID Conditional Access policies

For a broader overview of device management capabilities, see our guide on taking control of unmanaged devices with Intune.